Threat Intelligence Blog

Posted September 5, 2018

The Security Operations Center (SOC) is an intricate ecosystem of personnel, network equipment, cybersecurity appliances, and traffic and flow data, all working together to manage the workflow that begins with a threat alert. To minimize exposure, a SOC is designed to provide a “defense-in-depth” posture. This comprehensive approach to cybersecurity involves antivirus and endpoint tools, log management, a Next Generation Firewall (NGFW), website defenses, and other complementary security technologies. However, SOCs have several critical limitations.

The first limitation is “paralysis of analysis.” Each layer of defense adds a layer of complexity. For example, a miscreant attempting to access the network may simultaneously trigger an alert for known malware, a rules-based violation from the SIEM, and an outbound (extrusion) attempt by an end user over a restricted port detected by the NGFW. These redundant alerts for one event are often mixed in with benign alerts from non-security events.

A perimeter defense only activates on an alert or an ongoing breach. Step back and think about this for a second. When a SOC analyst begins a forensic investigation, the analyst only knows that something is wrong. Their first move should be to look up known-malicious file hashes, or perhaps IP addresses, fully qualified domain names, DNS records, and registered owners, to learn about an attack’s origins, what sites an end user has visited, and where malware was acquired. Historically, SOC teams have had no advance triage of the external threat environment, and they often must develop strategies on the fly.

Another problem is that traditional SOC strategies assume that threat vectors must always be signature-based. In 2018, the malefactor has no scruples about which tactics are used. Often, an adversary can create a damaging social media attack against a company’s brand or against individuals: the proverbial “fake news.”

The network is changing to expedite business use cases. From a security perspective, this brings about new challenges. Contractors may need access to a network, and integration partners often share intellectual property on the network to facilitate better operations or integrate to build a deeper security posture. However, contractors and business partners may bring their own sets of vulnerabilities to the host network.

External threat feeds can add to the aggravation. Like flow data, network performance indicators, and the investigation of alerts, external threat feed data is yet another source of information that needs to be normalized and contextualized inside the SOC.
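To make the normalization problem concrete, here is an added example (not LookingGlass code) that ingests three constructed feeds in different formats, folds their indicator values, type names and confidence scales into one schema, and collapses duplicates while recording which feeds reported each indicator. The feed names, field layouts and indicator values are all constructed for the illustration.

```python
"""Normalize and deduplicate indicators from several constructed threat feeds.

Added example, not any vendor's code. Each feed uses its own type vocabulary,
its own confidence scale and its own spelling of the same indicator; the SOC
needs one record per indicator with the sources that reported it.
"""
import csv
import io
import ipaddress
import json

# Constructed sample feeds (documentation ranges and .test names only).
FEED_A_CSV = """indicator,type,confidence
198.51.100.7,ip,80
EXAMPLE-Malicious.test,domain,60
"""
FEED_B_JSON = json.dumps([
    {"value": "2001:DB8:0:0:0:0:0:1", "kind": "ipv6", "score": 0.9},
    {"value": "example-malicious.test.", "kind": "fqdn", "score": 0.5},
])
FEED_C_TXT = "# plain list, no confidence values\n198.51.100.7\nanother.example.test\n"

# Map each feed's type vocabulary onto the SOC's own two categories.
TYPE_ALIASES = {"ip": "ip", "ipv4": "ip", "ipv6": "ip", "ip-addr": "ip",
                "domain": "domain", "fqdn": "domain", "hostname": "domain"}


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def normalize_value(kind, raw):
    """Canonical spelling: compressed IP text, lowercase domain without trailing dot."""
    raw = raw.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(raw))
    return raw.lower().rstrip(".")


def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield source, TYPE_ALIASES[row["type"].lower()], row["indicator"], float(row["confidence"])


def parse_json_feed(text, source):
    for rec in json.loads(text):
        # This feed scores 0..1; the common schema uses 0..100.
        yield source, TYPE_ALIASES[rec["kind"].lower()], rec["value"], round(rec["score"] * 100, 1)


def parse_txt_feed(text, source):
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = "ip" if is_ip(line) else "domain"
        yield source, kind, line, 50.0  # no confidence supplied; assume neutral


def merge(records):
    """Collapse records to one entry per (type, canonical value)."""
    merged = {}
    for source, kind, raw, confidence in records:
        key = (kind, normalize_value(kind, raw))
        entry = merged.setdefault(key, {"type": kind, "value": key[1],
                                        "sources": set(), "max_confidence": 0.0})
        entry["sources"].add(source)
        entry["max_confidence"] = max(entry["max_confidence"], confidence)
    return merged


def build_indicator_table():
    records = []
    records.extend(parse_csv_feed(FEED_A_CSV, "feed_a_csv"))
    records.extend(parse_json_feed(FEED_B_JSON, "feed_b_json"))
    records.extend(parse_txt_feed(FEED_C_TXT, "feed_c_txt"))
    return merge(records)


def prioritized(table):
    """Indicators seen by more feeds, then with higher confidence, come first."""
    return sorted(table.values(),
                  key=lambda e: (len(e["sources"]), e["max_confidence"]), reverse=True)


if __name__ == "__main__":
    for entry in prioritized(build_indicator_table()):
        print(entry["type"], entry["value"], sorted(entry["sources"]), entry["max_confidence"])
```

Six raw records collapse to four indicators; the two that appear in more than one feed rise to the top of the list, which is the kind of cross-source context an analyst would otherwise have to assemble by hand.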

Fundamentally, IDC believes there needs to be an approach that can complement defense-in-depth. With LookingGlass® scoutPRIME®, we see a platform that:

  • Produces a single risk score called the Threat Indicator Confidence (TIC) score that calculates the potential impact of malware, the topography of connections to the network, and the reliability of the source.
  • Provides a platform that scans the entire Internet, a greater capability than collecting and normalizing multiple threat feeds.
  • Monitors deceptive proxy activities to spot when adversaries are using APIs, fuzzes, and anagrams of keywords to make a website look authentic.
  • Combines human insight with machine-readable threat intelligence to normalize data in real time. LookingGlass has over 500 algorithms designed to prioritize threat feed data and weed out redundancies.
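The third bullet above mentions spotting domains built from anagrams and small variations of a brand keyword. As an added illustration (not LookingGlass code), the following classifier flags observed domains that imitate a protected brand by homoglyph substitution, letter permutation, a one-character typo, or by embedding the brand in a longer label. The brand name and the observed domains are constructed for the example; a production version would use a public-suffix list rather than the crude label extraction shown here.

```python
"""Flag observed domains that imitate a protected brand keyword.

Added example, not any vendor's code. Brand and domains are constructed.
"""

# Common look-alike substitutions, applied before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}

BRAND = "acmebank"  # constructed brand keyword
OBSERVED_DOMAINS = [  # constructed sample of newly seen domains
    "acmebank.example",            # the brand itself
    "acrnebank.example",           # "rn" imitating "m"
    "acmebakn.example",            # letters permuted
    "acmebnk.example",             # one character dropped
    "acmebank-login.example",      # brand embedded in a longer label
    "login.acmebank-secure.example",
    "weather.example",
    "acme.example",
]


def fold_homoglyphs(label):
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute costing 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Crude registrable label: the label left of the last one (no suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brand, max_distance=1):
    """Return the primary reason a domain looks like the brand, or None."""
    label = registrable_label(domain)
    if label == brand:
        return None
    folded = fold_homoglyphs(label)
    if folded != label and folded == brand:
        return "homoglyph"
    if sorted(label) == sorted(brand):
        return "anagram"
    if 0 < levenshtein(folded, brand) <= max_distance:
        return "typosquat"
    if brand in label:
        return "embedded"
    return None


def scan(domains, brand):
    """Map each suspicious domain to its reason; clean domains are omitted."""
    results = {}
    for domain in domains:
        reason = classify(domain, brand)
        if reason:
            results[domain] = reason
    return results


if __name__ == "__main__":
    for domain, reason in scan(OBSERVED_DOMAINS, BRAND).items():
        print(f"{domain:32} {reason}")
```

The checks run in a fixed order so each domain gets one primary label; the anagram test comes before the edit-distance test because a single transposition costs two edits under plain Levenshtein distance and would otherwise slip past a threshold of one.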

Defense-in-depth is still effective, and cybersecurity is often the execution of many things done well. However, the next security wave may be to think outside the SOC.
